Copyright © Tugboat Logic 2021. All rights reserved.
The Ultimate Survival Guide to ISO 27001
GUIDE
"Being able to achieve ISO 27001 compliance with Tugboat unlocked $6,000,000 in pipeline revenue for us. That's only just a few clients, but those were clients we literally could not have landed without the Tugboat platform."
Adam Jaggers | CTO, XOi Technologies
| Contents
Introduction 1
ISO 27001 Basics 2
A Step-by-Step Guide to ISO 27001 Certification 12
How Tugboat Logic Can Help 19
Conclusion 21
The Ultimate Survival Guide to ISO 27001 | 1
| Introduction
Let's face it. ISO 27001 isn't the world's most exhilarating topic. But that's not why you're here. Chances are, your company's thinking about getting certified and you'll be a key stakeholder for the project. Naturally, you want to know what ISO 27001 is all about. More than that, you want to set your team up for a successful audit.
This guide is going to reduce the time and money you spend getting certified. Beyond that, it'll demystify the process so that you can confidently manage your project end to end. Let's take a look at what we'll be covering.
1. First, we'll unpack what ISO 27001 is, minus the unnecessary fluff.
2. Then, we'll provide you with a step-by-step guide to certification, with practical advice from our team of ex-auditors.
3. Finally, we'll show you how Tugboat Logic can help you get and stay compliant with less lift.
Okay, enough chit chat. Let's do this thing.
Did You Know?
Demand for ISO 27001 is booming. Certification has increased by 450% over the last ten years.[1]
[1] Baker, Alice. "Learn how to implement and maintain an ISO 27001-compliant ISMS with IT Governance." itgovernance.co.uk, April 8, 2019.
Fun Fact
The ISO 27000 family includes 46 complementary standards. They provide an internationally recognized framework for information security best practices.
| ISO 27001 Basics
By now, you've probably read a lot of information about ISO 27001. You might even be more confused about the standard than you were before. That's totally okay.
The purpose of this section is to explain what ISO 27001 is all about as clearly and concisely as possible.
What Is ISO 27001?
First things first. The full name of the ISO standard is actually ISO/IEC 27001:2013 — Information technology — Security techniques — Information security management systems — Requirements.[2]
It's a mouthful, we know. That's why we just call it ISO 27001.
It's the only international standard that provides requirements for an information security management system (ISMS). Its main goals are the availability, integrity and confidentiality of sensitive information. Unlike some other frameworks, which focus exclusively on IT, ISO 27001 applies to the entire organization.
If you're curious about what ISO and IEC stand for, here's your answer: the International Organization for Standardization and the International Electrotechnical Commission. These organizations both govern ISO/IEC 27001.
[2] ISO/IEC 27001:2013(en) Information technology — Security techniques — Information security management systems — Requirements. ISO.org. Accessed April 14, 2020.
Additional Reading
ISO.org breaks down every mandatory clause in ISO 27001.
What Is an Information Security Management System (ISMS)?
Generally speaking, an ISMS is a collection of policies and procedures that help you manage and protect your organization's sensitive information.
Pretty straightforward, right?
In the context of ISO 27001, there's a bit more to it.
You see, ISO 27001 has a series of requirements, otherwise known as mandatory clauses, that your organization must meet. Beyond that, it also includes a list of Annex A controls. You only need to implement the controls that are applicable to you.
That said, you need to provide a justification for why certain controls apply and others don't. But that's something you do in your Statement of Applicability, which we'll cover in more detail later on.
Let's take a look at the mandatory clauses first.
The 24 Mandatory Clauses
To implement an ISMS that's ISO 27001 compliant, you need to provide specific documentation, as outlined in clauses 4.1 - 10.2 of the standard. They cover everything from scoping your ISMS (clause 4.3) to conducting internal audits at planned intervals (clause 9.2). None of these clauses are negotiable. You have to complete them all.
Did You Know?
ISO 27001 has a list of 114 controls in Annex A of the standard. You only have to implement those that are applicable to your business. However, you must provide a justification for why certain controls apply while others don't.
The 114 Annex A Controls
You'll also need to implement all applicable controls from Annex A. Here's a look at the fourteen categories of controls and what they cover.
• Annex A.5 - Information security policies (2 controls): How policies are written and reviewed.
• Annex A.6 - Organization of information security (7 controls): The assignment of responsibility for specific tasks.
• Annex A.7 - Human resource security (6 controls): Ensuring employees understand their responsibilities before employment.
• Annex A.8 - Asset management (10 controls): Identifying information assets and defining appropriate protection responsibilities.
• Annex A.9 - Access control (14 controls): Ensuring employees can only view data relevant to their position.
• Annex A.10 - Cryptography (2 controls): Encryption and key management of sensitive information.
• Annex A.11 - Physical and environmental security (15 controls): Securing the organization's premises and equipment.
• Annex A.12 - Operations security (14 controls): Ensuring information processing tools are secure.
• Annex A.13 - Communications security (7 controls): How to protect information in networks.
• Annex A.14 - System acquisition, development, and maintenance (13 controls): Ensuring that information security is a central part of the organization's systems.
• Annex A.15 - Supplier relationships (5 controls): The agreements to include in contracts with third parties.
• Annex A.16 - Information security incident management (7 controls): How to report disruptions and breaches, and who's responsible.
• Annex A.17 - Information security aspects of business continuity management (4 controls): How to address business disruptions.
• Annex A.18 - Compliance (8 controls): How to identify the laws and regulations that apply to your organization.
ISO 27001 is more rigorous than, say, SOC 2, and not just because the preparation and audit cycle take longer. It actually requires a lot of documentation. You must provide documentation for its 24 clauses and implement all applicable controls, without exception.
That's all to say that it can be a tough nut to crack.
Fun Fact
ISO 27001 is based on the Plan-Do-Check-Act cycle (PDCA), which is used to continuously improve processes. Here's how it applies:
Plan: Establish your ISMS.
Do: Operationalize your ISMS.
Check: Monitor and review your ISMS.
Act: Maintain and improve your ISMS.
Why You Need ISO 27001
In most cases, businesses get ISO 27001 certified because a customer or prospect requires it. But that's not always the case. Others might be expanding into new markets and require a security framework that's purpose-built. Finally, some businesses position security as a competitive advantage, and ISO 27001 provides excellent security assurance across every jurisdiction.
If you fit into one of the groups mentioned above, ISO 27001 is going to be critical to helping you achieve your goals.
What Does the ISO 27001 Audit Entail?
To get ISO 27001, you need to complete a two-stage external audit.
Stage 1: The Stage 1 audit is often called a "documentation review" audit, because the auditor will review your processes and policies to establish whether they're in line with the requirements of ISO 27001. They'll also want to make sure your ISMS has been implemented. Here, they'll only review your mandatory clauses. Typically, this takes one or two days.
Stage 2: The Stage 2 audit is often referred to as the "Certification Audit". During a Stage 2 audit, the auditor will conduct a thorough assessment to establish the effectiveness of the ISMS and its compliance with the ISO 27001 standard. The duration of Stage 2 depends entirely on the size and complexity of your organization. When they're finished, they'll recommend you for certification, assuming you passed.
Certification is valid for three years. However, in the two years following your certification, you'll be required to do surveillance audits to prove you're still compliant. To be clear, these aren't pop quizzes. Your auditor will provide you with a scope of what they'll be reviewing for your surveillance audit.
Finally, in the year following your second surveillance audit, you'll need to recertify.
Did You Know?
You can spend 50% less time getting ISO 27001 certified by using Tugboat Logic's audit workflow software.
The ISO 27001 Audit Cycle (figure): Documentation Audit → Certification Audit → Year One Surveillance Audit → Year Two Surveillance Audit → Recertification Audit → Recertification Cycle
How Long Does It Take to Get ISO 27001?
Short answer: well, it depends.
If you're an enterprise with multiple offices, you're likely going to have a longer ISO 27001 journey. That said, having a security team and a compliance program can definitely speed things up. That's because you probably already have controls in place that are also applicable to ISO 27001. Plus, you have the resources to manage your project.
If you're a smaller company and you don't have a security program, you can expect it to take longer, since you'll be starting from scratch. Conversely, if you already have a bunch of controls in place, you're looking at a much quicker timeline.
As a general rule, the audit itself typically takes between 2 and 6 months to complete. That includes both stages and the remediation of non-conformities, assuming your auditor identifies any.
With audit prep, there's a lot more variability.
You can get a better sense of how long it'll take to get certified on the following page.
Customer Quote
"We literally couldn't have achieved ISO 27001 without Tugboat. We just didn't have the resources or the expertise, and we couldn't afford to spend another $150,000 on a consulting firm. It wasn't viable for us."
Adam Jaggers | CTO, XOi Technologies
ISO 27001 Certification Timeline by Company Size

Company size               Using internal resources or a contractor   Using Tugboat Logic
10 employees               Up to 6 months                             Up to 3 months
Up to 50 employees         6 - 10 months                              3 - 5 months
Up to 200 employees        10 - 14 months                             5 - 9 months
More than 200 employees    14 - 18 months                             9 - 12 months
| A Step-by-Step Guide to ISO 27001 Certification
Step 1: Learn About ISO 27001
Congrats, you're already completing this step just by reading this guide. ISO 27001 can seem really complicated, especially when you look at all the conflicting information online.
But it doesn't have to be. If you need help finding your footing and would like to speak with someone who knows the ins and outs of the standard, don't hesitate to contact us. One of our ISO 27001 pros would be happy to answer any and all questions you might have.
Step 2: Assemble a Dream Team
Next, you'll want to assign a project manager and project sponsor. Your project manager is responsible for implementing your ISO 27001 ISMS. The sponsor should be invested in the project's success. They'll ensure it gets executive buy-in and have the authority to move things along. You may fit into either of these two roles.
If you're a larger business, you might have a dedicated security team. In that case, your CISO might sponsor an ISO 27001 project that a security practitioner manages. We've worked with smaller startups where the CEO fills the sponsor role while a project manager handles execution on the ground.
Step 3: Find an Auditor
You're probably thinking: "Hold up, isn't it a bit early in the game to be looking for an auditor?"
Most definitely not.
Think about it this way. You're going to be spending plenty of time with your auditor. You owe it to yourself and your business to choose someone who's easy to collaborate with. Here are some questions to consider:
• What kind of reputation do they have?
• What's their experience conducting ISO 27001 audits?
• What kind of personality do they have?
• How are their communication skills?
• How expensive are they?
• What's their availability?
• How responsive are they?
• What does their approach look like?
If you're looking for more guidance on choosing an auditor, we wrote a whole article on the topic. You can read it here.
One important point to remember. While it's easy to villainize your auditor, they really do want to see you succeed. In fact, during your ISO 27001 audit, they'll give you a number of opportunities to fix non-conformities. They'll also provide you with feedback and advice. They are a resource. So, be sure to use them.
Hot Tip
Asking a potential auditor the right questions up front ensures that there won't be any unwelcome surprises later on.
Step 4: Define Your ISMS Scope
This step will determine the breadth and depth of your ISMS. Here, you'll need to identify where sensitive information is stored, including physical and digital files on all your systems or portable devices. That means you'll have to work cross-functionally. Try to be strategic by focusing on individuals in other departments who know their systems, information and level of risk. They'll enable you to accurately scope and ensure your ISMS aligns with your overarching strategy.
Step 5: Conduct Your Risk Assessment
The risk assessment is a critical component of ISO 27001. It's covered in clause 8.2 of the standard. As such, the entire process must be planned and documented, including the data, analysis and results.
ISO 27001 doesn't have a prescribed risk assessment methodology. So, how you do it is totally up to you. Keep in mind, you'll need documentation that outlines:
• How you conducted your risk assessment
• A list of your information assets
• Risks associated with your information assets
• The tolerance your organization has for these risks (with an associated risk score that is consistent across your organization)
• How you intend on treating these risks by either:
  • Mitigating the risk: Implementing controls to reduce the possibility of occurrence.
  • Avoiding the risk: Ceasing any activity that creates the risk.
  • Transferring the risk: Using a third party and outsourcing security efforts, or purchasing cyber insurance to ensure you have funds in the event of a breach.
  • Accepting the risk: Deciding to live with the risk because the cost of treating it is greater than the possible damage.
Each risk must have an owner who is responsible for approving your risk treatment plan.
Again, you must document everything, including how you intend on treating each of your identified risks.
Critical Keywords
The Statement of Applicability (SoA) is a summary of your business' position on all 114 controls in Annex A of the ISO 27001 standard. In it, you clarify which controls you did and didn't implement and provide a justification for why.
Step 6: Implement Controls and Mitigate Risks
At this point, you'll know exactly what your risk exposure is. That means it's time to produce a Statement of Applicability and a Risk Treatment Plan. These are mandatory reports. They also provide evidence that you conducted a risk assessment.
Your Statement of Applicability (SoA) includes all 114 controls listed in Annex A. Again, some of these controls might not be applicable to you. For instance, there are a number of controls that must be implemented in a physical office environment to control unauthorized access to sensitive information.
One in particular, A.11.1.6, is concerned with delivery and loading areas. If your business doesn't have a delivery or loading area, then this control wouldn't be applicable to you.
In your justification, you'd simply note that the control wasn't applicable. Then, you'd justify why you didn't implement it. For the example above, it would be because your business doesn't have a delivery and loading area. You also need to justify every control you implement and how it mitigates potential risks.
Now for your Risk Treatment Plan. This document outlines your risks and how you'll treat them.
In most cases, you'll be mitigating your risks. That is, putting controls in place to prevent them from happening. But this won't always be true. There might be opportunities for you to avoid certain risks or even outsource them.
Step 7: Train Your Team
As you start implementing controls and involving more of your team in the ISO 27001 process, you're going to have to train them. The reality is that your new ISMS will require a new way of working, and that will impact everyone.
Whether it's idle workstation locks or a new clean desk policy, everyone is going to have to do their part. But it shouldn't be complicated. Thankfully, there are plenty of security awareness programs out there with an ISO 27001 flavor. These can automate the process and get your team up to speed fast.
Critical Keywords
The Risk Treatment Plan is a document in which you outline how your organization will respond to all risks that were identified in your risk assessment.
Step 8: Review Your Required Documentation
Here's where the 24 mandatory clauses come into play. You'll want to review all required ISO 27001 documentation and update any policies or procedures that need to be changed. Thankfully, much of this documentation exists in templates online. Here's an example of an Information Security Policy our Labs team put together, just to get you started. It is a requirement for clause 5.2 of the ISO 27001 standard.
Step 9: Measure, Monitor, Review
You need to continually analyze and review the performance of your ISMS to ensure it's effective and compliant. Also, try to look for ways to improve your processes and controls. Your ISMS isn't something you can set and forget. It should change with your organization.
Step 10: Conduct an Internal Audit
Running internal audits at planned intervals is a requirement of ISO 27001 (clause 9.2). It's also best practice, especially if you're about to do the real deal. The whole process is formalized, per the standard. As such, it requires documentation. One pointer: to save yourself potential headaches in the future, make sure you schedule your internal audits when business is likely to be slow.
Step 11: Get Certified
| How Tugboat Logic Can Help
Did You Know?
Tugboat Logic's audit workflow software can reduce audit readiness costs by up to 60%.
If ISO 27001 has you feeling overwhelmed, that's totally okay. As we mentioned earlier, your auditor is a wealth of knowledge. Consultants can support your journey to certification too, if that's the right path for you.
We can also help. We've built the first end-to-end ISO 27001 solution. It makes certification as easy as possible. Here's how we do it.
• Readiness Project Scoping Survey: We help you define your ISMS scope by having you answer a few questions about your business.
• Risk Assessment Module: Our platform integrates threats and vulnerabilities from your Risk Assessment into the SoA Module, ensuring your ISMS documents are always in sync.
• Automated SoA Module: We provide recommended justifications for all 114 Annex A controls, real-time implementation statuses and a streamlined SoA review process.
• Policies and Procedures: Create your own policies and procedures or leverage Tugboat Logic's library of pre-written content.
• ISO 27001 Checklist: Track how you're doing and tie up any loose ends before you get audited. That way, you can rest assured that you'll have the best possible outcome.
• ISO 27001 Experience: Help when you need it from our team of ex-auditors and compliance experts.
| Conclusion
The objective of this guide was a bold one: to reduce the time and money you spend getting certified. We set out to demystify ISO 27001 and provided a roadmap to help you navigate the process.
Hopefully, we have accomplished all of these things and you're now ready to kickstart your project with confidence. If so, you're probably wondering what to do next. Here are three suggestions:
1. Talk to us. Our team of ISO 27001 experts would love to help you in any way they can.
2. Start shopping for an auditor who will be able to guide you through the process.
3. Get a free demo of our ISO 27001 audit workflow solution.
You'll get through this. And you'll come out the other side stronger, more secure, more confident and ready to become the vendor of choice for today's most discerning customers.
Good luck
| About Tugboat Logic
Tugboat Logic is the Security Assurance Platform that provides continuous compliance. It uses automated technology to demystify the process of creating and managing an InfoSec program. With Tugboat Logic, companies can quickly get secure and prove it to customers. Powered by AI, Tugboat Logic's patent-pending technology automates InfoSec policy creation, audit readiness, and security questionnaire response so companies can gain trust with customers and sell more. Tugboat Logic helps businesses prepare for audits in half the time and at a fraction of the cost, ensures they can respond to security questionnaires in minutes (not hours), and builds and scales their InfoSec plan in minutes.
| Start Selling More Today
Interested in turning your security and compliance program into a business advantage? Get a free trial or contact one of our representatives at [email protected].